[Snort-users] Sizing a system for gigabit backbone

Erik Engberg Erik.Engberg at ...511...
Tue Oct 31 11:11:03 EST 2000


Depending on the level of traffic you have you can do a few things...
I am not saying your hardware spec will work or if it won't, but my guess is
that it can or will be overloaded on a heavily used network if you use a
normal set of rules (especially with hackers generating loads of abnormal

There are a few other things you can do though... 

For instance, don't bother with unnecessary rules, i.e. trim the rules to the
bare essentials. Don't bother with preprocessors...

And what I'd recommend: separate the traffic flows so that multiple IDS read

There are a few things you can use to do this.

Separate traffic to several span ports if possible with your switch.

Separate traffic by type. Let one engine handle smb, another http, another
ftp, another smtp and so on...

Load balance the traffic with a layer 7 switch with gigabit capacity.
Toplayer's Appswitch is marketed as an IDS load balancer. We are currently
evaluating that one here and it looks promising. Another alternative could
be Alteon switches (which are incredibly fast and nice to work with), for
instance, but that switch is performance and web oriented and only hashes
source/destinations, where the Toplayer Appswitch has stateful inspection
(yes, I gather it'd be quite fine as a firewall as well... we'll test that
as well). Foundry and Arrowpoint (bought by Cisco) are other layer-7 switch
makers, but I'm not too impressed with those (Arrowpoint has an IDE

I'd recommend you start by trying the fastest box you can muster and
test it at peak hours to see what kind of load you get. Load the net even some
more and see how it holds up... If you are getting above 50% CPU and memory
used, I'd say you need better hardware or load balancing to be on the same

Also, I'd raise a warning finger against spanning all ports on a switch. Not
all switches can handle that, and if network usage gets really high it can
also overload even a gigabit span. It all depends on your environment, which
I know nothing of.

To do high bandwidth IDS I can't recommend Linux, as it won't show dropped
packets, and BSDs usually handle traffic somewhat better. Myself, I prefer
OpenBSD. FreeBSD should work just as fine though (I guess?).

Good luck and let us know how you handle it. We could need some more high
bandwidth reference cases here, if I am not mistaken?
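The two splitting schemes discussed above (one engine per service, versus a switch that hashes source/destination), as an added example that is not part of this thread: it assigns constructed packets to sensors both ways, reports the byte share each engine would have to inspect, and checks that both directions of a connection land on the same engine, which stateful inspection needs. The order-independent hash generalises the src/dst hashing mentioned; the port lists and sample packets are assumptions.

```python
# Added example (not from this thread): two ways to split a gigabit feed across
# several Snort engines, tried on a constructed packet sample.
import hashlib
from collections import defaultdict

# Service classes as in the reply: one engine per protocol family.
# The port lists are an assumption for illustration.
SERVICE_PORTS = {"smb": {139, 445}, "http": {80, 8080}, "ftp": {20, 21}, "smtp": {25}}

def sensor_by_service(pkt):
    """Route by well-known port on either end; everything else goes to 'other'."""
    for name, ports in SERVICE_PORTS.items():
        if pkt["sport"] in ports or pkt["dport"] in ports:
            return name
    return "other"

def sensor_by_flow_hash(pkt, n_sensors):
    """Order-independent src/dst hash, so both directions of a connection share a sensor."""
    ends = sorted([f"{pkt['src']}:{pkt['sport']}", f"{pkt['dst']}:{pkt['dport']}"])
    digest = hashlib.sha256("|".join(ends).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

def byte_share(packets, assign):
    """Bytes each sensor would have to inspect under an assignment function."""
    totals = defaultdict(int)
    for p in packets:
        totals[assign(p)] += p["bytes"]
    return dict(totals)

def directions_colocated(packets, assign):
    """True if every reply lands on the same sensor as its request (needed for stateful checks)."""
    seen = {}
    for p in packets:
        flow = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        if seen.setdefault(flow, assign(p)) != assign(p):
            return False
    return True

def _pair(client, server, sport, dport, req_bytes, rep_bytes):
    """Constructed request/reply pair between a client and a server."""
    return [{"src": client, "dst": server, "sport": sport, "dport": dport, "bytes": req_bytes},
            {"src": server, "dst": client, "sport": dport, "dport": sport, "bytes": rep_bytes}]

# Constructed sample (private addresses, made-up sizes): one connection per class.
SAMPLE = (_pair("10.0.0.5", "10.0.0.20", 40001, 445, 300, 1200)     # smb
          + _pair("10.0.0.6", "10.0.0.30", 40002, 80, 500, 9000)    # http
          + _pair("10.0.0.7", "10.0.0.40", 40003, 21, 100, 200)     # ftp
          + _pair("10.0.0.8", "10.0.0.50", 40004, 25, 2000, 150)    # smtp
          + _pair("10.0.0.9", "10.0.0.60", 40005, 5432, 400, 4000)) # unclassified
```

Running `byte_share(SAMPLE, sensor_by_service)` shows the skew a per-service split can produce (here the http engine carries most of the bytes), while a flow hash spreads load but loses the per-protocol rule trimming the reply recommends.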


-----Original Message-----
From: Archive User [mailto:archive at ...736...]
Sent: den 31 oktober 2000 09:36
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Sizing a system for gigabit backbone


I am trying to come up with some hardware recommendations
for a new snort IDS system I want to put on my lan. Unfortunately
we are on a totally switched 100mbit network. I can set up a
mirror port on one of my switches so I can link up with a
gigabit nic and sniff the entire lan, but I am totally lost
when it comes to sizing a snort system for this level of traffic.
I am thinking of going with freebsd or linux since I know I am going
to need multiple procs. Would 2 x 1 ghz processors with a gig of ram work?
Is anyone running a snort ids at these traffic levels? Any suggestions?

Thanks.. Mike

Snort-users mailing list
Snort-users at lists.sourceforge.net
